Merge branch 'master' of https://github.com/locomotivecms/engine

commit d9af4c9baa95a619ab1f53940009469ac0be0a52 2 parents a57b860 + 8dfefe5
Guillaume Maury authored
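--- a/app/controllers/admin/api_contents_controller.rb
+++ b/app/controllers/admin/api_contents_controller.rb
@@ -50,6 +50,7 @@ def block_content_type_with_disabled_api
 def sanitize_content_params
 (params[:content] || {}).each do |key, value|
+next unless value.is_a?(String)
 params[:content][key] = Sanitize.clean(value, Sanitize::Config::BASIC)
 end
 end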
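Review bot: The new `next unless value.is_a?(String)` guard lets every non-String value through untouched, and that set is wider than the booleans and uploads the commit targets: Array and Hash values, which Rails builds from `content[field][]` and `content[field][sub]` parameters, now bypass Sanitize entirely, so a String nested one level down reaches the model unsanitized. Whether any custom-field kind accepts nested params is not visible in this hunk, but the filter's intent is clearly "clean every user-supplied string", so walking containers is safer than skipping them. The shape below keeps `sanitize_content_params` as the entry point and adds a `sanitize_value` helper that cleans Strings, recurses into Arrays and Hashes in place (preserving the params hash class), and returns any other object (UploadedFile, true/false, nil) as-is. `sanitize_content_params` is fully contained in the hunk.
```ruby
def sanitize_content_params
  (params[:content] || {}).each do |key, value|
    params[:content][key] = sanitize_value(value)
  end
end

# Cleans Strings, walks Arrays/Hashes, leaves other objects (files, booleans, nil) untouched.
def sanitize_value(value)
  case value
  when String then Sanitize.clean(value, Sanitize::Config::BASIC)
  when Array  then value.map { |v| sanitize_value(v) }
  when Hash   then value.each { |k, v| value[k] = sanitize_value(v) }
  else value
  end
end
```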
1  doc/TODO
@@ -33,7 +33,6 @@ BUGS:
NICE TO HAVE:
- export site
-
- super_finder
- traffic statistics
- asset picker (content instance)
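--- a/lib/locomotive/liquid/filters/html.rb
+++ b/lib/locomotive/liquid/filters/html.rb
@@ -66,6 +66,7 @@ def theme_image_tag(input, *args)
 Kernel.puts input.inspect
 Kernel.puts args.inspect
 image_options = inline_options(args_to_options(args))
+
 "<img src=\"#{theme_image_url(input)}\" #{image_options}/>"
 end
@@ -73,6 +74,7 @@ def theme_image_tag(input, *args)
 # input: url of the image OR asset drop
 def image_tag(input, *args)
 image_options = inline_options(args_to_options(args))
+
 "<img src=\"#{get_url_from_asset(input)}\" #{image_options}/>"
 end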
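--- a/spec/controllers/admin/api_contents_controller_spec.rb
+++ b/spec/controllers/admin/api_contents_controller_spec.rb
@@ -7,6 +7,8 @@
 @site.content_types.first.tap do |content_type|
 content_type.content_custom_fields.build :label => 'Name', :kind => 'string', :required => true
 content_type.content_custom_fields.build :label => 'Description', :kind => 'text'
+content_type.content_custom_fields.build :label => 'File', :kind => 'file'
+content_type.content_custom_fields.build :label => 'Active', :kind => 'boolean'
 end.save
 controller.stubs(:require_site).returns(true)
@@ -64,6 +66,15 @@
 content.name.should == "Hacked"
 end
+it 'does not sanitize non string params' do
+lambda {
+post 'create', default_post_params(:content => {
+:active => true,
+:file => ActionDispatch::Http::UploadedFile.new(:tempfile => FixturedAsset.open('5k.png'), :filename => '5k.png', :content_type => 'image/png')
+})
+}.should_not raise_exception
+end
+
 end
 end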
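Review bot: The new example in the second hunk only asserts that `post 'create'` does not raise, so it would still pass if the controller silently dropped or mangled the boolean and file values, and it does not check that a sibling String field is still cleaned when non-String siblings are present. Asserting on the created record, as the earlier example does with `content.name`, that the boolean round-trips and that a sibling string field carrying markup still comes back sanitized would pin the behaviour the commit is actually after. `:active => true` is also passed as a Ruby boolean, whereas a real form post delivers the string "true"; whether the functional-test harness stringifies it depends on the Rails version, so this case may not exercise the production path. Finally, `FixturedAsset.open('5k.png')` hands an open file to the request and nothing closes it; holding it in a variable and closing it in an `after` block keeps the suite from leaking descriptors.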